ABSTRACT

The structure of divide and conquer algorithms is represented by program
schemes which provide a kind of normal-form for expressing these algorithms.
A theorem relating the correctness of a divide and conquer algorithm to the
correctness of its subalgorithms is given. Several strategies for designing
divide and conquer algorithms arise from this theorem and we use them to
formally derive algorithms for sorting a list of numbers, evaluating a
propositional formula, and forming the cartesian product of two sets.


0.  Introduction 

The advance of scientific knowledge often involves the grouping together of
similar objects followed by the abstraction and representation of their common
structural and functional features. Generic properties of the objects in the
class are then studied by reasoning about this abstract characterization. The
resulting theory may suggest strategies for designing objects in the class which
have given characteristics. This paper reports on one such investigation into a
class of related algorithms called "divide and conquer". We seek not only to
gain a deeper and clearer understanding of the algorithms in this class, but to
formulate this knowledge for the purposes of algorithm design. The essential
structure of divide and conquer algorithms is expressed by a class of program
schemes. We present a fundamental theorem relating the correctness of an
instance of one of these schemes to the correctness of its parts. This theorem
provides a basis for designing divide and conquer algorithms in a formal way.

1 The work reported herein was supported by the Foundation Research Program
of the Naval Postgraduate School with funds provided by the Chief of Naval
Research.

The principle underlying divide and conquer algorithms can be simply
stated: if the problem posed by a given input is sufficiently simple we solve it
directly, otherwise we decompose it into independent subproblems, solve the
subproblems, then compose the resulting solutions. The process of decomposing the
input problem and solving the subproblems gives rise to the term "divide and
conquer" although "decompose, solve, and compose" would be more accurate.

We  chose  to  explore  the  synthesis  of  divide  and  conquer  algorithms  for 
several  reasons: 

Structural Simplicity - Divide and conquer is perhaps the simplest program
structuring technique which does not appear as an explicit control structure in
current programming languages. Our description of the structure of divide and
conquer algorithms is based on a view of them as computational homomorphisms
between algebras on their input and output domains. Careful choice of
programming language constructs allows us to express divide and conquer
algorithms concisely and in accord with their essential structure as
homomorphisms.

Computational Efficiency - Often algorithms of asymptotically optimal complexity
arise from the application of the divide and conquer principle to a problem.
Fast approximate algorithms for NP-hard problems frequently are based on the
divide and conquer principle.

Diversity of Applications - Divide and conquer algorithms are common in
programming, especially when processing structured data objects such as arrays,
lists, and trees. Many examples of divide and conquer algorithms may be found in
texts on algorithm design (e.g. [1,11]). Bentley [3] presents numerous
applications of the divide and conquer principle to problems involving sets of
objects in multidimensional space.

One of our goals is to help formalize the process of designing algorithms to
meet given specifications. Our approach in this paper is based on instantiating
program schemes to obtain concrete programs satisfying a given specification.
Related work on programming by instantiating program schemes is reported in
[4,5,7,8,15]. Aside from the fact that we are concerned here with only one
class of algorithms, our approach differs from these others mostly in focusing
on formal techniques for deriving specifications for the uninterpreted operators
in a program scheme.

In Section 1 we seek to acquaint the reader with some examples of divide
and conquer algorithms. Algebraic notation introduced in Section 2 is used to
present schemes in Section 3 characterizing the class of divide and conquer
algorithms. The main result of this paper is a theorem showing how the
correctness of a divide and conquer algorithm follows from its form and the
correctness of its parts. In Section 4 we discuss the top-down design of divide
and conquer algorithms and proceed with the derivation of a selection sort
algorithm. In Section 5 we derive algorithms for a few more problems including
the evaluation of Boolean expressions and finding the cartesian product of two
sets.


1.  Examples  of  Divide  and  Conquer  Algorithms 

Applications of the divide and conquer principle are most naturally
expressed by recursive programs. In Figure 1 we present a selection sort
program expressed in an ad-hoc functional programming language (based on Backus'
FP systems [2]) which we now summarize.

We use three data types: B (Boolean values TRUE and FALSE), IN (natural
numbers 0,1,2,...), and LIST(IN) (linear lists of natural numbers e.g., nil,
(3), (5,2,2,7)). Any element of these types is called an object, and if
x_1,...,x_n for n≥0 are data objects then the n-tuple <x_1,...,x_n> is also a
data object. The selector functions 1, 2,... return the first, second,...
elements of a tuple respectively. For example, 1:<3,4> = 3, 2:<3,4> = 4.

In a functional programming language programs are viewed as a hierarchy of
functions. All functions map a data object to a data object. We use the
notation f:x to denote the result of applying the function (program) f to data
object x. If a function requires n arguments for some n>1, then it is applied
to an n-tuple of objects. For the natural numbers we have the usual addition
function, denoted +, and the comparison operators <, ≤, =, ≠, ≥, >. In deference
to convention we allow infix notation for the arithmetic functions and
relational operators, thus we equivalently write "3+5" and "+:<3,5>". On the
data type LIST(IN) we use the following functions: Nil, which returns the empty
list (denoted nil); List, which maps a natural number into the list containing
it; First, which returns the first element in a list; Rest, which returns its
input list minus the first element; Cons, which adds a number to the front of a
list (e.g. Cons:<2,(5,4)> = (2,5,4)); snoC, (the inverse of Cons) which returns
a 2-tuple containing the first element and the rest of the input list (e.g.
snoC:(2,5,4) = <2,(5,4)>); and Length, which returns the length of a list. On
all types we use Id as the identity function.


    Ssort:x0 = if
        x0 = nil → x0 □
        x0 ≠ nil → Cons∘(Id × Ssort)∘Select:x0
      fi

    Select:x = if
        Rest:x = nil → snoC:x □
        Rest:x ≠ nil → Compose∘(Id × Select)∘snoC:x
      fi

    Compose:<v1,<v2,z>> = if
        v1 ≤ v2 → <v1,Cons:<v2,z>> □
        v1 > v2 → <v2,Cons:<v1,z>>
      fi

Figure 1: A Selection Sort Program


Functions are combined to yield new functions via the following combining
forms. f∘g, called the composition of f and g, denotes the function resulting
from applying f to the result of applying g to its argument.

For example, Length∘Rest:(1,3,5) = Length:(Rest:(1,3,5))

                                 = Length:(3,5)

f×g, called the product of f and g, is defined by

    f×g:<x,y> = <f:x,g:y>.

For example, Id×Length:<3,(1,3,5,7)> = <3,4>.

If q_1,...,q_n are boolean functions or constants and f_1,...,f_n are functions
or data objects then

    if q_1 → f_1 □ ... □ q_n → f_n fi

is a nondeterministic conditional form. During evaluation each of the boolean
functions, called guards, is evaluated. If any of the guards is undefined, or
if none of the guards evaluates to TRUE, then the value of the form is
undefined. Otherwise one of the guards, say q_i, which evaluates to TRUE is
nondeterministically selected and the form evaluates to f_i:x. For example,

    if ≤ → 1 □ > → 2 fi

is a simple if-fi form mapping IN × IN into IN and computing the minimum of two
natural numbers. On application to <2,3> the guard ≤ evaluates to TRUE thus
the form evaluates to 1:<2,3> = 2. Note that on application to <3,3> both guards
evaluate to TRUE thus either branch of the conditional can be taken. Although
either branch can be taken the result is the same for this function.

We name functions by means of definitions. For example we can name the
above if-fi form Min by means of the following definition

    Min = if ≤ → 1 □ > → 2 fi.

For readability in definitions we allow the naming of arguments, replace
selector function applications by the name of their result, and pretty print,
so Min can be defined by

    Min:<x,y> = if
        x ≤ y → x □
        x > y → y
      fi.

The selection sort algorithm in Figure 1 works as follows. If the input is
nil then nil is output. If the input is non-nil then a smallest element is
split off and then prepended onto the result of recursively sorting the
remainder of the input. The function Select evaluates as follows on the list
(2,5,1,4)

    Select:(2,5,1,4) = Compose∘(Id × Select)∘snoC:(2,5,1,4)
                     = Compose∘(Id × Select):<2,(5,1,4)>
                     = Compose:<2,<1,(5,4)>>
                     = <1,Cons:<2,(5,4)>>
                     = <1,(2,5,4)>

where Select:(5,1,4) evaluates to <1,(5,4)> in a similar manner. Ssort when
applied to (2,5,1,4) evaluates as follows

    Ssort:(2,5,1,4) = Cons∘(Id × Ssort)∘Select:(2,5,1,4)
                    = Cons∘(Id × Ssort):<1,(2,5,4)>
                    = Cons:<1,(2,4,5)>
                    = (1,2,4,5)

where Ssort:(2,5,4) evaluates to (2,4,5) in a similar manner.

Ssort and Select exemplify the structure of divide and conquer algorithms.
In Ssort when the input is nil then the problem is solved directly, otherwise
the input problem is decomposed via Select, the subproblems solved via the
product Id × Ssort, and the results composed by Cons. In Select when the input
has length one then the problem is solved directly, otherwise the input is
decomposed via snoC into a tuple of subinputs, the subinputs processed in
parallel by Id × Select, and the results composed by Compose. We call Select in
Ssort and snoC in Select the decomposition operators. Cons in Ssort and Compose
in Select are called composition operators. The identity function, Id, in both
Ssort and Select is called an auxiliary operator.

Why introduce new language features here? We feel that the importance of
divide and conquer algorithms is justification enough to require that a
programming language allow their concise expression. We have introduced those
linguistic features which allow divide and conquer programs to clearly reflect
their essential structure. For example, the construction of decomposition
operators is facilitated by allowing functions to return a tuple of objects.
The product form allows us to directly express parallel processing of
independent subproblems. In conditionals we are not forced to determine the
order in which the guards are to be evaluated - they are conceptually evaluated
in parallel. In addition, the language simplifies reasoning about and designing
divide and conquer algorithms.

2.  Algebraic  Concepts 
2.1  Program  Termination 

In  designing  divide  and  conquer  algorithms  we  shall  be  concerned  with 
ensuring  that  they  terminate  on  all  legal  inputs.  The  usual  method  for  showing 
the  termination  of  a  recursive  program  depends  on  the  existence  of  a  well- 
founded  ordering  on  the  input  domain. 

A structure <W,≻> where W is a set and ≻ is a binary relation on W is a
well-founded set and ≻ is a well-founded ordering on W if:

1) ≻ is irreflexive: u ⊁ u for all u ∈ W

2) ≻ is asymmetric: if u ≻ v then v ⊁ u for all u,v ∈ W

3) ≻ is transitive: if u ≻ v and v ≻ w then u ≻ w for all u,v,w ∈ W

4) there is no infinite descending sequence u_0 ≻ u_1 ≻ u_2 ≻ ... in W.

For example, IN (natural numbers) with the usual greater than relation > forms
the well-founded set <IN,>>.

A recursive program P with input domain D can be shown to terminate on all
inputs in the following way. First, a well-founded ordering ≻ is constructed
on D. Then, we show that for any x ∈ D, P applied to x only generates recursive
applications (calls) to inputs x' for which x ≻ x'. There can be no infinite
sequence x_0,x_1,x_2,... such that applying P to x_i results in the application
of P to x_{i+1} for i ≥ 0 since the well-founded ordering does not allow
x_0 ≻ x_1 ≻ ... .

Proposition 1. Let E be a set, let <W,≻_W> be a well-founded set, and let
h:E → W be a function from E into W. The relation ≻_E defined by:

    u ≻_E u' iff h(u) ≻_W h(u')

is a well-founded ordering on E.

Proof: 1) ≻_E is irreflexive - for any u, h:u ⊁_W h:u, but then by definition
u ⊁_E u.

2) ≻_E is asymmetric - if u ≻_E u' then h(u) ≻_W h(u') and h(u') ⊁_W h(u)
(by asymmetry of ≻_W) thus u' ⊁_E u.

3) ≻_E is transitive - if u ≻_E u' and u' ≻_E u" then h(u) ≻_W h(u') and
h(u') ≻_W h(u"). h(u) ≻_W h(u") follows by transitivity of ≻_W, then u ≻_E u"
follows by definition of ≻_E.

4) <E,≻_E> has no infinite decreasing sequence - if u_0 ≻_E u_1 ≻_E u_2 ≻_E
... then h(u_0) ≻_W h(u_1) ≻_W h(u_2) ≻_W ... contradicting the
well-foundedness of <W,≻_W>. QED

Proposition 1 enables us to establish a well-founded ordering on LIST(IN)
(list of natural numbers) by simply finding a function from LIST(IN) to IN. A
suitable primitive function is Length, so we may define

    x ≻ y iff Length:x > Length:y

for all x,y ∈ LIST(IN). By Proposition 1 we conclude that <LIST(IN),≻> is a
well-founded set.


2.2  Many-Sorted  Algebras 

Algebraic concepts are playing an increasingly important role in formulating
the fundamental notions of computer science. In this paper we show that
divide and conquer algorithms can be usefully characterized algebraically as
homomorphisms between appropriately defined algebras on the input and output
domains. In this section we present the basic terminology of many-sorted
algebras based on and extending the notation of ADJ [9,10].

For any n ∈ IN let n̲ = {1,2,...,n}. As usual the cartesian product of sets
A_1, A_2, ..., A_n is written A_1 × A_2 × ... × A_n and denotes
{<a_1,a_2,...,a_n> | a_i ∈ A_i for i ∈ n̲}. Parentheses are used for nesting so

    A_1 × (A_2 × A_3) = {<a_1,<a_2,a_3>> | a_1 ∈ A_1, a_2 ∈ A_2, a_3 ∈ A_3}

the set of 2-tuples whose first component belongs to A_1 and whose second
component belongs to A_2 × A_3.

Generally, we use the term many-sorted algebra to denote a collection of
sets equipped with operators defined on cartesian products of the sets. Let S
denote a nonempty set of symbols called sorts and § ∈ S be a distinguished sort
called the principal sort. A finite §-oriented S-sorted signature Σ is a finite
set of operator symbols {σ_1,...,σ_r}, r ≥ 1, where for 1 ≤ i ≤ r, σ_i has type
<w_i,§> where w_i ∈ S* and w_i = w_{i1}...w_{i n_i}, n_i ≥ 0. Let <A_s>_{s∈S}
be an S-indexed family of sets. If w ∈ S* and w = w_1 w_2...w_n then A_w denotes
the cartesian product A_{w_1} × A_{w_2} × ... × A_{w_n}. Letting λ denote the
empty string, A_λ denotes the set consisting of the 0-tuple, {<>}. A Σ-algebra
A consists of a family of sets <A_s>_{s∈S} called the carriers of A, and a set
of operators denoted σ_{iA}, i = 1,...,r, where σ_{iA}: A_{w_i} → A_§. A_§ will
be called the principal carrier of A. A Σ-algebra A will be written
A = <{C_1,...,C_k},{f_1,...,f_r}> where C_1,...,C_k are the carriers of A and
f_1,...,f_r are its operators. A Σ-algebra will be called a composition algebra.

We shall be interested in composition algebras which 1) allow each element
of the principal carrier to be expressed as a composition of other elements, and
2) compose smaller elements into larger elements. For example, on the domain
LIST(IN) consider the operators

    Nil: {<>} → LIST(IN)             (e.g., Nil:<> = nil)
    List: IN → LIST(IN)              (e.g., List:3 = (3))
    Cons: IN × LIST(IN) → LIST(IN)   (e.g., Cons:<3,(1,4)> = (3,1,4)).

Every list of natural numbers can be expressed as either a composition by Cons
(Cons:<i,y> for some i ∈ IN and y ∈ LIST(IN)) or by Nil, thus

    <{LIST(IN),IN},{Cons,Nil}>

is a composition algebra for LIST(IN). For the domain LIST(IN)-nil, the
operators Cons and List allow expression of each non-nil list as a composition
by Cons (Cons:<i,y> for some i ∈ IN and y ∈ LIST(IN)-nil) or by List (List:i for
some i ∈ IN), thus

    <{LIST(IN)-nil,IN},{Cons,List}>

is a composition algebra for LIST(IN)-nil.

Let A and B be Σ-algebras and let H = <h_s>_{s∈S} be an S-indexed family of
functions where for each s ∈ S, h_s: A_s → B_s. If w = w_1 w_2...w_n let h_w
denote the product function h_{w_1} × h_{w_2} × ... × h_{w_n}. Thus if a ∈ A_w
then

    h_w:a = <h_{w_1}:a_1, h_{w_2}:a_2, ..., h_{w_n}:a_n>.

h_λ denotes the unique function mapping A_λ to B_λ, also written Id_<>.
H = <h_s>_{s∈S} is a (Σ-)homomorphism from A to B if for each operator symbol
σ_i and a ∈ A_{w_i}

    h_§∘σ_{iA}:a = σ_{iB}∘h_{w_i}:a,

i.e. the diagram in Figure 2 commutes.


Figure 2: Commutative Diagram of a Σ-homomorphism.

A Σ⁻¹-algebra A is a family of sets <A_s>_{s∈S} and operators
σ_{iA}: A_§ → A_{w_i} for each 1 ≤ i ≤ r. A Σ⁻¹-algebra will be called a
decomposition algebra. We shall be interested in decomposition algebras which
1) allow each element of the principal carrier to be decomposed into other
elements, and 2) decompose larger elements into smaller elements. For example,
on the domain LIST(IN) we can define operators which are the inverses of the
composition operators considered above.

    liN: LIST(IN) → {<>}             (e.g. liN:nil = <>)
    tsiL: LIST(IN) → IN              (e.g. tsiL:(3) = 3)
    snoC: LIST(IN) → IN × LIST(IN)   (e.g. snoC:(3,1,4) = <3,(1,4)>)

Every list of natural numbers can be decomposed either by snoC or liN, thus

    <{LIST(IN),IN},{snoC,liN}>

is a decomposition algebra for LIST(IN). For the domain LIST(IN)-nil, the
operators snoC and tsiL allow the decomposition of each non-nil list into
non-nil lists and natural numbers, thus

    <{LIST(IN)-nil,IN},{snoC,tsiL}>

is a decomposition algebra for LIST(IN).

Let A be a Σ⁻¹-algebra, B a Σ-algebra, and let H = <h_s>_{s∈S} be an S-indexed
family of functions such that for each s ∈ S, h_s: A_s → B_s. H is a
homomorphism from A to B if for each x ∈ A_§ such that σ_A:x is defined

    h_§:x = σ_B∘h_w∘σ_A:x                                            (2.1)

i.e., the diagram in Figure 3 commutes.

Figure 3: Commutative Diagram of a Σ⁻¹-homomorphism.

For example, let S = {c,§} and let Σ = {σ_1,σ_2} be a S-sorted signature where
σ_1 has type <λ,§> and σ_2 has type <c§,§>. Consider LS and LC which are Σ⁻¹
and Σ-algebras respectively where:

    LS = <{IN,LIST(IN)},{liN,Select}>

    LC = <{IN,LIST(IN)},{Nil,Cons}>.

LS has carriers LS_c = IN and LS_§ = LIST(IN) and operators

    Select: LIST(IN) → IN × LIST(IN) and
    liN: LIST(IN) → {<>}.

Select splits a list of natural numbers into its least element and the rest of
the list as discussed earlier. LC has carriers LC_c = IN and LC_§ = LIST(IN)
and operators

    Cons: IN × LIST(IN) → LIST(IN) and
    Nil: {<>} → LIST(IN).

Letting h_§ be the function Sort, which sorts a list of numbers, and h_c the
identity function Id, we have a natural homomorphism from LS to LC. First, Sort
and Id have the required domains and codomains:

    Id: IN → IN                   (h_c: LS_c → LC_c)

    Sort: LIST(IN) → LIST(IN)     (h_§: LS_§ → LC_§)

and the homomorphism condition (2.1) is satisfied: for any x ∈ LIST(IN) such
that liN:x is defined (i.e. x = nil)

    Sort:x = Nil∘Id_<>∘liN:x              (h_§:x = σ_{1LC}∘h_λ∘σ_{1LS}:x)

and for any x ∈ LIST(IN) such that Select:x is defined (i.e. x ≠ nil)

    Sort:x = Cons∘(Id × Sort)∘Select:x.   (h_§:x = σ_{2LC}∘h_{c§}∘σ_{2LS}:x)

This homomorphism, of course, is the essence of a selection sort algorithm.
When the input x is nil we can sort directly, otherwise we decompose x into a
number i and a list y, sort y, then Cons i onto the result.


In this section we present notation expressing the form (via program
schemes) and function (via specifications) of divide and conquer algorithms. We
also present a fundamental theorem showing how the functionality of a divide and
conquer program follows from its form and the functionalities of its parts.
First we consider the expression of functionality.

3.1  Specifications 

Specifications are a precise notation for describing the problem (or
function) we desire to solve without necessarily indicating how to solve (or
compute) it. For example, the problem of decomposing a list of natural numbers
into its smallest element and the remainder of the list may be specified as
follows.

    Select:x = <i,z> such that x ≠ nil ⇒ i ≤ Bag:z ∧ Bag:x = Add:<i,Bag:z>
    where Select: LIST(IN) → IN × LIST(IN).

The problem is named Select which is a function from lists of natural numbers to
2-tuples consisting of a natural number and a list. Naming the input x and the
output <i,z>, the formula "x ≠ nil", called the input condition, expresses any
restrictions on the inputs we can expect to the problem. The formula "i ≤ Bag:z
∧ Bag:x = Add:<i,Bag:z>", called the output condition, expresses the conditions
under which <i,z> is an acceptable output with respect to input x. The function
Bag maps a list into the bag (multiset) of elements contained in it (e.g.
Bag:(1,5,2,2) = {1,5,2,2} = Bag:(1,2,5,2)). i ≤ Bag:z asserts that each element
in the list z is no less than i. The function Add:<i,b> returns the bag
containing i in addition to all elements of bag b. Bag:x = Add:<i,Bag:z>
asserts that the multiset (bag) of elements in the input list x is the same as
the multiset of elements in z with i added.

Generally, a specification Π has the form

    Π:x = z such that I:x ⇒ O:<x,z>
    where Π: D → R.

We ambiguously use the symbol Π to denote both the problem, its specification,
and a solution to the problem. Here the input and output domains are D and R
respectively. The input condition I expresses any properties we can expect of
inputs to the desired program. Inputs satisfying the input condition will be
called legal inputs. If an input does not satisfy the input condition then we
don't care what output, if any, the program produces. The output condition O
expresses the properties that an output object should satisfy. Any output
object z such that O:<x,z> holds will be called a feasible output with respect
to input x. More formally, a specification Π is a 4-tuple <D,R,I,O> where

    D is a set called the input domain,
    R is a set called the output domain,
    I is a relation on D called the input condition, and
    O is a relation on D × R called the output condition.

Program F satisfies specification Π = <D,R,I,O> if

    ∀x ∈ D [I:x ⇒ O:<x,F:x>]

is valid in a suitable first-order theory, i.e., if on each legal input F
computes a feasible output.

Let S be a set of sorts with principal sort §. Π = <E,T,J,P> denotes an
S-sorted family of problems where E and T are S-sorted families of sets, for
each s ∈ S, J_s is a relation on E_s and P_s is a relation on E_s × T_s. For
each s ∈ S let Π_s, called a component problem, denote the problem
specification <E_s,T_s,J_s,P_s>. Π_§ will be called the principal problem and
for each s ∈ S-§, Π_s will be called an auxiliary problem.

3.2  The  Form  of  Divide  and  Conquer  Algorithms 

Let S be a sort set with principal sort § and let Σ be a finite §-oriented
S-sorted signature where Σ = {σ_1,...,σ_r}, r ≥ 1, and for 1 ≤ i ≤ r, σ_i has
type <w_i,§> where w_i ∈ S* and w_i = w_{i1}...w_{i n_i}, n_i ≥ 0. A Σ-divide
and conquer algorithm has the form

    f_§:x = if
        q_1:x → σ_{1T}∘f_{w_1}∘σ_{1E}:x □
        ...
        q_r:x → σ_{rT}∘f_{w_r}∘σ_{rE}:x
      fi

where

1. E is a Σ⁻¹-algebra

2. T is a Σ-algebra

3. F = <f_s>_{s∈S} is an S-indexed family of functions where f_s: E_s → T_s

4. q_i for i ∈ r̲, is a predicate on E_§.

The operators in E and T are called the decomposition and composition operators
respectively. Each f_s for s ∈ S-§ is called an auxiliary function and f_§ is
called the principal function. In these terms the program's behavior can be
described as follows: Given input x, a guard which evaluates to TRUE is
selected nondeterministically. Input x is decomposed by the decomposition
operator σ_{iE} into a tuple of subinputs. This tuple is then processed in
parallel by the function product f_{w_i} and the results composed by the
composition operator σ_{iT}. In order for the algorithm to terminate not all
the branches of the conditional can contain recursive calls. The nonrecursive
branches treat with those inputs which can be solved directly.

If we view the guards q_i for i ∈ r̲ as characterizing the set of inputs on
which the corresponding decomposition operator σ_{iE} is defined, then the
divide and conquer algorithm clearly expresses F as a homomorphism from the
decomposition algebra E to the composition algebra T.

3.3  Correctness  of  a  Divide  and  Conquer  Algorithm 

The main theoretical result of our paper is the following theorem which
shows how the correctness of the whole divide and conquer algorithm follows from
the correctness of its parts. Conditions (1), (2), and (3) of Theorem 1 simply
provide the form of a specification for the parts of a Σ-divide and conquer
algorithm. The most interesting condition is the "separability" condition (4).
It is the principal link between the functionality of the algebras E and T, the
auxiliary problems Π_s, and the given principal problem. In words it states
that if input x_0 decomposes into subinputs x_1,...,x_n, and z_1,...,z_n are
feasible outputs with respect to these subinputs respectively, and z_1,...,z_n
compose to form z_0 then z_0 is a feasible solution to input x_0. Loosely put:
feasible outputs compose to form feasible outputs. Condition (5) asserts that
for each legal input at least one of the guards holds.


Theorem 1: Let S be a set of sorts with principal sort § and let Σ be a finite
§-oriented S-sorted signature. Let E be a Σ⁻¹-algebra, T be a Σ-algebra, Π a
S-sorted family of specifications, F a S-sorted family of functions where for
each s ∈ S, f_s: E_s → T_s. Let ≻ be a well-founded ordering on E_§ and for
each i ∈ r̲ let O_{iE} and O_{iT} be relations on E_{§w_i} and T_{§w_i}
respectively. If

(1) (Specification of σ_E) the decomposition operator σ_{iE}, for i = 1,...,r
satisfies the specification

    σ_{iE}:x_0 = <x_1,...,x_{n_i}> such that q_i:x_0 ∧ J_§:x_0 ⇒
        ∧_{j∈n̲_i} (J_{w_ij}:x_j ∧ (w_ij = § ⇒ x_0 ≻ x_j))
        ∧ O_{iE}:<x_0,x_1,...,x_{n_i}>
    where σ_{iE}: E_§ → E_{w_i}

(2) (Specification of σ_T) the composition operator σ_{iT}, for i ∈ r̲
satisfies the specification

    σ_{iT}:<z_1,...,z_{n_i}> = z_0 such that O_{iT}:<z_0,z_1,...,z_{n_i}>
    where σ_{iT}: T_{w_i} → T_§

(3) (Solutions to Auxiliary Problems) for each s ∈ S-§, f_s satisfies
specification

    Π_s:x = z such that J_s:x ⇒ P_s:<x,z>
    where Π_s: E_s → T_s.

(4) (Separability of P) the following formula is valid for each i ∈ r̲:

    ∀<x_0,x_1,...,x_{n_i}> ∈ E_{§w_i} ∀<z_0,z_1,...,z_{n_i}> ∈ T_{§w_i}
      [O_{iE}:<x_0,x_1,...,x_{n_i}> ∧ ∧_{j∈n̲_i} P_{w_ij}:<x_j,z_j>
       ∧ O_{iT}:<z_0,z_1,...,z_{n_i}> ⇒ P_§:<x_0,z_0>]

(5) (Definition of the guards) For all x ∈ E_§, J_§:x ⇒ ∨_{i∈r̲} q_i:x

then the divide and conquer program

    f_§:x = if
        q_1:x → σ_{1T}∘f_{w_1}∘σ_{1E}:x □
        ...
        q_r:x → σ_{rT}∘f_{w_r}∘σ_{rE}:x
      fi

satisfies specification Π_§ = <E_§,T_§,J_§,P_§>.

Proof: To show that f_§ satisfies Π_§ = <E_§,T_§,J_§,P_§> we will prove

by structural induction² on E_§.

Let x be an arbitrary object in E_§ such that J_§:x holds and assume
(inductively) that J_§:y ⇒ P_§:<y,f_§:y> holds for any y ∈ E_§ such that x ≻ y.
From J_§:x and condition (5) it follows that q_i:x holds for some i ∈ r̲. By the
semantics of the if-fi construct f_§:x can evaluate to σ_{iT}∘f_{w_i}∘σ_{iE}:x.
We will show that P_§:<x,f_§:x> by using the inductive assumption and modus
ponens on the separability condition. Since q_i:x ∧ J_§:x holds and σ_{iE}
satisfies its specification in condition (1), the output condition of σ_{iE}
also holds. Let σ_{iE}:x = <x_1,...,x_{n_i}>. We have for each j ∈ n̲_i,
J_{w_ij}:x_j. Consider x_j for each j ∈ n̲_i. If w_ij ≠ § then by condition (3)

    J_{w_ij}:x_j ⇒ P_{w_ij}:<x_j,f_{w_ij}:x_j>

and we infer by modus ponens P_{w_ij}:<x_j,f_{w_ij}:x_j>. If on the other hand
w_ij = § then by condition (1) we have x_0 ≻ x_j and thus by our inductive
assumption

    J_{w_ij}:x_j ⇒ P_{w_ij}:<x_j,f_{w_ij}:x_j>.

Again we infer P_{w_ij}:<x_j,f_{w_ij}:x_j> by modus ponens. By condition (2) we
have

    O_{iT}:<f_§:x, f_{w_i1}:x_1,...,f_{w_in_i}:x_{n_i}>

where

    σ_{iT}:<f_{w_i1}:x_1,...,f_{w_in_i}:x_{n_i}> = f_§:x.

We have now established the antecedent of condition (4) enabling us to infer
P_§:<x,f_§:x>. QED
§  3 

Notice that in Theorem 1 the form of the subalgorithms $\sigma_{iE}$, $\sigma_{iT}$, and $f_s$ for
$s \in S-\hat{s}$ is not relevant. All that matters is that they satisfy their respective
specifications. In other words, their function and not their form matters with
respect to the correctness of the whole divide and conquer algorithm.

² Structural induction on a well-founded set $\langle W,\succ\rangle$ is a form of mathematical
induction described by

$$\forall x \in W\ \forall y \in W\ [x \succ y \wedge Q:y \Rightarrow Q:x] \Rightarrow \forall x \in W\ Q:x$$

i.e., if $Q:x$ can be shown to follow from the assumption that $Q:y$ holds for each
$y$ such that $x \succ y$, then we can conclude that $Q:x$ holds for all $x$.


Design is a goal-directed activity and this is the primary reason for the
importance of top-down design methods. One form of top-down design, which we
call problem reduction, may be described by a two phase process - the top-down
decomposition of problem specifications and the bottom-up composition of
programs. In practice these phases are interleaved but it helps to understand them
separately. Initially we are given a specification $\Pi$. In the first phase we
create an overall program structure for $\Pi$, which fixes certain gross features
of the desired program. Some parts of the structure are at first underdetermined
but their functional specifications are worked out so that they can be
treated as relatively independent subproblems to be solved at a later stage.
Next we work in turn on each of the subproblem specifications, and so on. This
process of creating program structure and decomposing problem specifications
terminates in primitive problem specifications which can be solved directly,
without reduction to subproblems. The result is a tree of specifications with
the initial specification at the root and primitive problem specifications at
the leaves. The children of a node represent the subproblem specifications
written (or derived) as we create program structure.

The second phase involves the bottom-up composition of programs. Initially
each primitive problem specification is solved to obtain a program (which is
often a programming language operator). Subsequently whenever all of the
subproblem specifications generated when working on specification $\Pi$ have
solutions, these subproblem solutions are assembled into a program for $\Pi$.

We advocate [13,14] a formal counterpart to the problem reduction approach
based on the use of program schemes. A scheme provides a standard overall
structure for the desired program and its uninterpreted operator symbols stand
for the underdetermined parts of the structure. To use a scheme we require a
corresponding design strategy. Given a problem specification $\Pi$ a design
strategy derives specifications for subproblems in such a way that solutions for the
subproblems can be assembled (via the scheme) into a solution for $\Pi$. A design
strategy then is a way of generating an instance of a scheme which satisfies a
given specification. Any program scheme admits a number of design strategies.
Dershowitz and Manna [4] have presented some strategies for designing program
sequences, if-then-else statements, and loops.

We have found three design strategies for divide and conquer algorithms.
Each attempts to derive specifications for subalgorithms which satisfy the
conditions of Theorem 1. If successful then any operators which satisfy these
derived specifications can be assembled into a divide and conquer algorithm
satisfying the given specification. The key difficulty is to ensure that the
derived specifications satisfy the separability condition, so each design
strategy concentrates on this goal.

The first design strategy, called DS1, can be described as follows.

DS1) First choose a simple decomposition algebra as E and
choose simple known functions for the auxiliary functions,
then use the separability condition to reason backwards
towards output conditions and to reason forwards towards input
conditions for the operators in T.

To see how we reason towards specifications for the operators in T, suppose that
we have selected a $\Sigma^{-1}$-algebra $E$ and chosen simple known functions $f_s$ for
$s \in S-\hat{s}$ and let the given problem be $\Pi = \langle D,R,I,O\rangle$. We show how to derive output
conditions for $\sigma_{iT}$ for some $i \in r$. First use

$\sigma_{iE}:x_0 = \langle x_1,\ldots,x_{n_i}\rangle$ as $O_{iE}:\langle x_0,x_1,\ldots,x_{n_i}\rangle$,

$f_{w_{ij}}:x_j = z_j$ as $P_{w_{ij}}:\langle x_j,z_j\rangle$ for $j \in n_i$, $w_{ij} \neq \hat{s}$, and

$O:\langle x,z\rangle$ as $P_{\hat{s}}:\langle x,z\rangle$,

and create the following formula

$$\forall \langle x_0,x_1,\ldots,x_{n_i}\rangle \in E^{\hat{s}w_i}\ \ \forall \langle z_0,z_1,\ldots,z_{n_i}\rangle \in T^{\hat{s}w_i}$$

$$\Big[O_{iE}:\langle x_0,x_1,\ldots,x_{n_i}\rangle \wedge \bigwedge_{j \in n_i} P_{w_{ij}}:\langle x_j,z_j\rangle \Rightarrow P_{\hat{s}}:\langle x_0,z_0\rangle\Big]. \quad (4.1)$$

This formula differs from the separability condition only in that the hypothesis
$O_{iT}:\langle z_0,z_1,\ldots,z_{n_i}\rangle$ is missing. We desire to establish the separability
condition so that we can apply Theorem 1 to show that the program we construct
satisfies its specification. We know that $O_{iT}$ is a relation on the variables
$z_0,z_1,\ldots,z_{n_i}$. Our technique is to reason backwards from the consequent always
trying to reduce it to relations expressed in terms of the variables
$z_0,z_1,\ldots,z_{n_i}$. If we can show that the assumption of an additional hypothesis
of the form

$$Q:\langle z_0,z_1,\ldots,z_{n_i}\rangle$$

allows us to prove (4.1), i.e., if we can show that

$$\forall \langle x_0,x_1,\ldots,x_{n_i}\rangle \in E^{\hat{s}w_i}\ \ \forall \langle z_0,z_1,\ldots,z_{n_i}\rangle \in T^{\hat{s}w_i}$$

$$\Big[O_{iE}:\langle x_0,x_1,\ldots,x_{n_i}\rangle \wedge \bigwedge_{j \in n_i} P_{w_{ij}}:\langle x_j,z_j\rangle \wedge Q:\langle z_0,z_1,\ldots,z_{n_i}\rangle \Rightarrow P_{\hat{s}}:\langle x_0,z_0\rangle\Big]$$

then we take $Q$ as the output condition $O_{iT}$ since the separability condition is
satisfied by this choice of $O_{iT}$. Formal systems for performing this kind of
deduction are presented in [12,13]. We shall proceed a little less formally
here, making use of our intuition for guidance.

We can also use (4.1) to obtain input conditions for our composition
operators. The input condition for $\sigma_{iT}$ is some relation on $z_1,\ldots,z_{n_i}$ which can be
expected to hold when $\sigma_{iT}$ is invoked. Suppose that by reasoning forwards from
the relations established by the decomposition operator and the component
functions we infer a relation $Q':\langle z_1,\ldots,z_{n_i}\rangle$, i.e., that

$$\forall \langle x_0,x_1,\ldots,x_{n_i}\rangle \in E^{\hat{s}w_i}\ \ \forall \langle z_0,z_1,\ldots,z_{n_i}\rangle \in T^{\hat{s}w_i}$$

$$\Big[O_{iE}:\langle x_0,x_1,\ldots,x_{n_i}\rangle \wedge \bigwedge_{j \in n_i} P_{w_{ij}}:\langle x_j,z_j\rangle \Rightarrow Q':\langle z_1,\ldots,z_{n_i}\rangle\Big]$$

Then we take $Q'$ as an input condition to $\sigma_{iT}$.

The other two design strategies are variations on DS1 and use the
separability condition in an analogous manner.

DS2) First choose a simple composition algebra as T,
second, choose simple known functions for the auxiliary
functions, then use the separability condition to solve for the
input and output conditions for the operators in E. An input
condition for the decomposition operator is found by determining
conditions under which a feasible output exists.

DS3) First choose a simple decomposition $\Sigma^{-1}$-algebra as E and
choose a simple composition $\Sigma$-algebra as T, then use the
separability condition to reason backwards towards output
conditions and to reason forwards towards input conditions for
the auxiliary functions.

In each of these design strategies we must find a suitable well-founded ordering
on the input domain in order to ensure program termination. Also, the guards
are chosen to reflect the domain of definition of the decomposition operators.


Suppose we are given the following specification for sorting a list of
natural numbers

$$\mathrm{SORT}:x = z \text{ such that } \mathrm{Bag}:x = \mathrm{Bag}:z \wedge \mathrm{Ordered}:z$$

where $\mathrm{SORT}: \mathrm{LIST}(\mathbb{N}) \to \mathrm{LIST}(\mathbb{N})$.

Here "$\mathrm{Bag}:x = \mathrm{Bag}:z$" asserts that the multiset (bag) of elements in the list $z$ is
the same as the multiset of elements in $x$. Ordered is a predicate which holds
when applied to a list whose elements are in nondecreasing order.

The selection sort algorithm presented in Figure 4 will be derived using
design strategy DS2. Note that Ssort makes use of the composition algebra
$A = \langle\{\mathrm{LIST}(\mathbb{N}), \mathbb{N}\}, \{\mathrm{Nil}, \mathrm{Cons}\}\rangle$ discussed in Section 2.2. In choosing $A$ as the
composition algebra it is not obvious ahead of time that a decomposition algebra
can be found which works with $A$ to solve the SORT problem. This choice of
algebra should be regarded as a tentative hypothesis about how sorted lists can be
composed. The sort set of $A$ is $S = \{c,\hat{s}\}$ where $A_{\hat{s}} = \mathrm{LIST}(\mathbb{N})$ and $A_c = \mathbb{N}$. The
operator Nil has type $\langle\lambda,\hat{s}\rangle$ and operator Cons has type $\langle c\hat{s},\hat{s}\rangle$, $\mathrm{Nil}: A^{\lambda} \to A_{\hat{s}}$,
and $\mathrm{Cons}: A^{c\hat{s}} \to A_{\hat{s}}$.

Naming our desired program Ssort we have at this point,

$E_{\hat{s}} = \mathrm{LIST}(\mathbb{N})$, $T_{\hat{s}} = \mathrm{LIST}(\mathbb{N})$, $T_c = \mathbb{N}$

$J_{\hat{s}}:x \Leftrightarrow \mathrm{TRUE}$,

$P_{\hat{s}}:\langle x,z\rangle \Leftrightarrow \mathrm{Bag}:x = \mathrm{Bag}:z \wedge \mathrm{Ordered}:z$,

$O_{1T}:\langle\langle\rangle,z\rangle \Leftrightarrow z = \mathrm{nil}$,

$O_{2T}:\langle z_0,b,z_1\rangle \Leftrightarrow \mathrm{Cons}:\langle b,z_1\rangle = z_0$,

$f_{\hat{s}}$ is Ssort.

It remains to determine input and output conditions $J_c$ and $P_c$ for the auxiliary
function $f_c$, the domain $E_c$, and the output conditions $O_{1E}$ and $O_{2E}$ for the
decomposition operators.

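    Ssort:x = if
        x = nil → Nil∘Id_λ∘liN:x  □
        x ≠ nil → Cons∘(Id×Ssort)∘Select:x
    fi

    Select:x = if
        Rest:x = nil → Compose1∘Id∘tsiL:x  □
        Rest:x ≠ nil → Compose2∘(Id×Select)∘snoC:x
    fi

    Compose1:v = <v,nil>

    Compose2:<v1,<v2,z>> = if
        v1 ≤ v2 → <v1,Cons:<v2,z>>  □
        v1 ≥ v2 → <v2,Cons:<v1,z>>
    fi

Figure 4: A Selection Sort Program

Our first step towards determining $O_{2E}$ is to instantiate the separability
condition as far as possible thus obtaining

$$\forall \langle x_0,\langle a,x_1\rangle\rangle \in \mathrm{LIST}(\mathbb{N}) \times (E_c \times \mathrm{LIST}(\mathbb{N}))\ \ \forall \langle z_0,\langle b,z_1\rangle\rangle \in \mathrm{LIST}(\mathbb{N}) \times (\mathbb{N} \times \mathrm{LIST}(\mathbb{N}))$$

$$[O_{2E}:\langle x_0,\langle a,x_1\rangle\rangle \wedge P_c:\langle a,b\rangle \wedge \mathrm{Bag}:x_1 = \mathrm{Bag}:z_1 \wedge \mathrm{Ordered}:z_1 \wedge \mathrm{Cons}:\langle b,z_1\rangle = z_0 \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Bag}:z_0 \wedge \mathrm{Ordered}:z_0] \quad (4.2)$$

To construct this formula we have made the following substitutions into the
separability condition of Theorem 1:

1. replace $w_2$ by $c\hat{s}$

2. replace $E_{\hat{s}}$ and $T_{\hat{s}}$ by $\mathrm{LIST}(\mathbb{N})$

3. replace $E^{w_2}$ by $E_c \times \mathrm{LIST}(\mathbb{N})$ and $T^{w_2}$ by $\mathbb{N} \times \mathrm{LIST}(\mathbb{N})$

4. replace $P_{\hat{s}}:\langle x,z\rangle$ by $\mathrm{Bag}:x = \mathrm{Bag}:z \wedge \mathrm{Ordered}:z$

5. replace $\sigma_{2T}:\langle b,z_1\rangle$ by $\mathrm{Cons}:\langle b,z_1\rangle$

Since we desire to have the separability condition hold in order to apply
Theorem 1 we evidently must try to find values for $E_c$, $P_c$, and $O_{2E}$ which allow us
to prove (4.2).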


In order to determine $O_{2E}$ we attempt to reduce (4.2) to a formula dependent
on the variables $x_0$, $a$, and $x_1$ only. The consequent is the conjunction of two
atomic formulas so we can tackle them separately. Consider first

$$\mathrm{Bag}:x_0 = \mathrm{Bag}:z_0. \quad (4.3)$$

This is equivalent to

$$\mathrm{Bag}:x_0 = \mathrm{Bag} \circ \mathrm{Cons}:\langle b,z_1\rangle$$

since $\mathrm{Cons}:\langle b,z_1\rangle = z_0$ is a hypothesis. The fact

$$\mathrm{Bag} \circ \mathrm{Cons}:\langle u,y\rangle = \mathrm{Add}:\langle u,\mathrm{Bag}:y\rangle$$

allows us to reduce the goal to

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle b,\mathrm{Bag}:z_1\rangle.$$

Then since

$$\mathrm{Bag}:x_1 = \mathrm{Bag}:z_1$$

is a hypothesis we further reduce to

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle b,\mathrm{Bag}:x_1\rangle.$$

This last relation is almost expressed in terms of variables required by $O_{2E}$.
Let us assume $a = b$ and thus let $E_c = \mathbb{N}$, $J_c:x \Leftrightarrow \mathrm{TRUE}$, $P_c:\langle a,b\rangle \Leftrightarrow a = b$, and
let $f_c$ be Id. This finally reduces (4.3) to

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle a,\mathrm{Bag}:x_1\rangle. \quad (4.4)$$

In other words, if we had (4.4) and $a = b$ as additional hypotheses then we could
establish our original goal (4.3). We will use (4.4) in the output condition

Consider now the second goal

$$\mathrm{Ordered}:z_0$$

which via the hypotheses $\mathrm{Cons}:\langle b,z_1\rangle = z_0$ and $a = b$ reduces to

$$\mathrm{Ordered} \circ \mathrm{Cons}:\langle a,z_1\rangle.$$

The fact

$$u \le \mathrm{Bag}:y \wedge \mathrm{Ordered}:y \Leftrightarrow \mathrm{Ordered} \circ \mathrm{Cons}:\langle u,y\rangle$$

can be used to produce the equivalent goal

$$a \le \mathrm{Bag}:z_1 \wedge \mathrm{Ordered}:z_1.$$

Now $\mathrm{Ordered}:z_1$ is a hypothesis and thus is assumed to hold. The remaining
subgoal can be transformed via the hypothesis $\mathrm{Bag}:x_1 = \mathrm{Bag}:z_1$ to

$$a \le \mathrm{Bag}:x_1.$$

We have reduced (4.5) to a subgoal which is expressed in terms of the variables
required by $O_{2E}$. By reasoning backwards we have shown above that if

$$a \le \mathrm{Bag}:x_1 \wedge \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a,\mathrm{Bag}:x_1\rangle \quad (4.6)$$

holds then we can establish (4.2). We take (4.6) as $O_{2E}$.

Before constructing the specification for $\sigma_{2E}$ we construct a well-founded
ordering on $E_{\hat{s}} = \mathrm{LIST}(\mathbb{N})$. By Proposition 1 we can construct one based on a
mapping from $\mathrm{LIST}(\mathbb{N})$ to $\mathbb{N}$. The known function Length maps $\mathrm{LIST}(\mathbb{N})$ to $\mathbb{N}$ so
define

$$x_0 \succ x_1 \text{ iff } \mathrm{Length}:x_0 > \mathrm{Length}:x_1.$$

By Proposition 1 $\langle E_{\hat{s}},\succ\rangle$ is a well-founded set.

Using (4.6) as $O_{2E}$ and this well-founded ordering on $\mathrm{LIST}(\mathbb{N})$ we create the
following specification for $\sigma_{2E}$ in accord with condition (1) of Theorem 1.

$$\sigma_{2E}:x_0 = \langle a,x_1\rangle \text{ such that } a \le \mathrm{Bag}:x_1 \wedge \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a,\mathrm{Bag}:x_1\rangle \wedge \mathrm{Length}:x_0 > \mathrm{Length}:x_1$$

where $\sigma_{2E}: \mathrm{LIST}(\mathbb{N}) \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$

By inspection we see that there is no feasible output when the input is nil so
we add the input condition "$x \neq \mathrm{nil}$" obtaining

$$\sigma_{2E}:x_0 = \langle a,x_1\rangle \text{ such that } x_0 \neq \mathrm{nil} \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a,\mathrm{Bag}:x_1\rangle \wedge a \le \mathrm{Bag}:x_1 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:x_1$$

where $\sigma_{2E}: \mathrm{LIST}(\mathbb{N}) \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$.

In [13] we show how to derive the input condition for decomposition operators by
formal means. In the next section we derive a divide and conquer algorithm,
called Select, for this problem.

From the input condition of Select we obtain the guard $x \neq \mathrm{nil}$. The
intended algorithm at this point has the form:

    Ssort:x = if
        q_1:x → Nil∘f_λ∘σ_1E:x  □
        x ≠ nil → Cons∘(Id×Ssort)∘Select:x
    fi


The construction of a specification for $\sigma_{1E}$ is similar. First, we
instantiate the separability condition obtaining

$$\forall x_0 \in \mathrm{LIST}(\mathbb{N})\ \ \forall z_0 \in \mathrm{LIST}(\mathbb{N})\ \ [O_{1E}:x_0 \wedge \mathrm{Nil}:\langle\rangle = z_0 \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Bag}:z_0 \wedge \mathrm{Ordered}:z_0] \quad (4.7)$$

In creating this formula we have replaced

$w_1$ by $\lambda$

$E_{\hat{s}}$ and $T_{\hat{s}}$ by $\mathrm{LIST}(\mathbb{N})$

$P_{\hat{s}}$ by $\mathrm{Bag}:x_0 = \mathrm{Bag}:z_0 \wedge \mathrm{Ordered}:z_0$

$\sigma_{1T}$ by Nil

and performed some simplifications.

Again we treat the two conjuncts of the goal separately. Since $z_0$ is nil
then the goal $\mathrm{Ordered}:z_0$ holds. The other goal

$$\mathrm{Bag}:z_0 = \mathrm{Bag}:x_0$$

is equivalent to

$$x_0 = \mathrm{nil}$$

since $z_0 = \mathrm{nil}$. We use "$x_0 = \mathrm{nil}$" as the output condition $O_{1E}$ and create the
specification

$$\sigma_{1E}:x_0 = z \text{ such that } x_0 = \mathrm{nil}$$

where $\sigma_{1E}: \mathrm{LIST}(\mathbb{N}) \to \{\langle\rangle\}$.

The function liN satisfies this specification.

Putting together all of the operators derived above, we obtain the following
selection sort program:

    Ssort:x = if
        x = nil → Nil∘Id_λ∘liN:x  □
        x ≠ nil → Cons∘(Id×Ssort)∘Select:x
    fi

which can be simplified to

    Ssort:x = if
        x = nil → x  □
        x ≠ nil → Cons∘(Id×Ssort)∘Select:x
    fi


4.3  Synthesis  of  Select 

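In the previous section we derived the specification

$$\mathrm{Select}:x_0 = \langle a,x_1\rangle \text{ such that } x_0 \neq \mathrm{nil} \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a,\mathrm{Bag}:x_1\rangle \wedge a \le \mathrm{Bag}:x_1 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:x_1$$

where $\mathrm{Select}: \mathrm{LIST}(\mathbb{N}) \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$

The synthesis of Select proceeds according to the design strategy DS2. First,
we choose a simple decomposition algebra for the input domain - the set of
non-nil lists of natural numbers. The algebra $A = \langle\{\mathbb{N},\mathrm{LIST}(\mathbb{N})\},\{\mathrm{tsiL},\mathrm{snoC}\}\rangle$ is
satisfactory since all non-nil lists can be decomposed into non-nil lists and
natural numbers by tsiL and snoC. The sort set is $S = \{c,\hat{s}\}$, tsiL has type
$\langle\hat{s},c\rangle$, and snoC has type $\langle\hat{s},c\hat{s}\rangle$. We have

$E_c = \mathbb{N}$,

$E_{\hat{s}} = \mathrm{LIST}(\mathbb{N})$, $T_{\hat{s}} = \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$,

$J_{\hat{s}}:x_0 \Leftrightarrow x_0 \neq \mathrm{nil}$,

$P_{\hat{s}}:\langle x_0,\langle a,x_1\rangle\rangle \Leftrightarrow \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a,\mathrm{Bag}:x_1\rangle \wedge a \le \mathrm{Bag}:x_1 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:x_1$,

$\sigma_{1E}$ is tsiL, and $\sigma_{2E}$ is snoC.

tsiL is defined when $\mathrm{Rest}:x = \mathrm{nil}$ so this condition is used as $q_1$. snoC will
decompose a non-nil list $x$ into a number and a non-nil list when $\mathrm{Rest}:x \neq \mathrm{nil}$, so
we take this condition as $q_2$. Our intended algorithm now has the form

    Select:x_0 = if
        Rest:x_0 = nil → σ_1T∘f_c∘tsiL:x_0  □
        Rest:x_0 ≠ nil → σ_2T∘(f_c×Select)∘snoC:x_0
    fi

It remains to determine the output domain $T_c$, the input and output conditions $J_c$
and $P_c$ for the auxiliary function $f_c$, and the composition operators $\sigma_{1T}$ and $\sigma_{2T}$.

$E_{\hat{s}} = \mathrm{LIST}(\mathbb{N})$ is made a well-founded set exactly as in the previous example
by defining $x_0 \succ x_1$ iff $\mathrm{Length}:x_0 > \mathrm{Length}:x_1$. snoC and tsiL clearly preserve
this ordering.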

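In pursuit of an output condition for $\sigma_{2T}$ (a relation dependent on the
variables $a_0$, $z_0$, $v$, $a_1$, and $z_1$), we first instantiate the separability
condition with the result

$$\forall \langle\langle a_0,z_0\rangle,\langle v,\langle a_1,z_1\rangle\rangle\rangle \in (\mathbb{N} \times \mathrm{LIST}(\mathbb{N})) \times (T_c \times (\mathbb{N} \times \mathrm{LIST}(\mathbb{N})))$$

$$\forall \langle x_0,\langle u,x_1\rangle\rangle \in \mathrm{LIST}(\mathbb{N}) \times (\mathbb{N} \times \mathrm{LIST}(\mathbb{N}))$$

$$[\mathrm{snoC}:x_0 = \langle u,x_1\rangle \wedge \mathrm{Bag}:x_1 = \mathrm{Add}:\langle a_1,\mathrm{Bag}:z_1\rangle \wedge a_1 \le \mathrm{Bag}:z_1 \wedge \mathrm{Length}:x_1 > \mathrm{Length}:z_1 \wedge P_c:\langle u,v\rangle \wedge O_{2T}:\langle\langle a_0,z_0\rangle,\langle v,\langle a_1,z_1\rangle\rangle\rangle$$

$$\Rightarrow \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a_0,z_0\rangle \wedge a_0 \le \mathrm{Bag}:z_0 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:z_0]. \quad (4.8)$$

To create this formula the following substitutions were made

$c\hat{s}$ replaces $w_2$

$\mathrm{LIST}(\mathbb{N})$ replaces $E_{\hat{s}}$ and $\mathbb{N} \times \mathrm{LIST}(\mathbb{N})$ replaces $T_{\hat{s}}$

$\mathbb{N}$ replaces $E_c$

$\mathrm{snoC}:x_0 = \langle u,x_1\rangle$ replaces $O_{2E}:\langle x_0,x_1,x_2\rangle$

$\mathrm{Bag}:x_1 = \mathrm{Add}:\langle a_1,\mathrm{Bag}:z_1\rangle \wedge a_1 \le \mathrm{Bag}:z_1 \wedge \mathrm{Length}:x_1 > \mathrm{Length}:z_1$
replaces $P_{\hat{s}}:\langle x_1,\langle a_1,z_1\rangle\rangle$

Again we consider the goals in (4.8) one at a time. The goal

$$a_0 \le \mathrm{Bag}:z_0$$

is already expressed in the form we desire, so we can use it in $O_{2T}$. Consider
the goal

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle a_0,z_0\rangle.$$

We have

$$\begin{aligned}
\mathrm{Bag}:x_0 &= \mathrm{Bag} \circ \mathrm{Cons}:\langle u,x_1\rangle && \text{(by hypothesis)}\\
&= \mathrm{Add}:\langle u,\mathrm{Bag}:x_1\rangle\\
&= \mathrm{Add}:\langle u,\mathrm{Add}:\langle a_1,z_1\rangle\rangle && \text{(by hypothesis)}
\end{aligned}$$

Suppose that we let $u = v$ and thus let $T_c = \mathbb{N}$, $P_c:\langle u,v\rangle \Leftrightarrow u = v$, and $f_c$ be Id. We
have

$$\mathrm{Add}:\langle v,\mathrm{Add}:\langle a_1,z_1\rangle\rangle = \mathrm{Add}:\langle a_0,z_0\rangle.$$

This condition is expressed in the desired variables so we use it in $O_{2T}$.
Finally, consider the goal

$$\mathrm{Length}:x_0 > \mathrm{Length}:z_0. \quad (4.9)$$

In the following derivation we use $\mathrm{Card}:x$ to denote the cardinality of the bag
$x$. We then have

$$\begin{aligned}
\mathrm{Length}:x_0 &= \mathrm{Length} \circ \mathrm{Cons}:\langle u,x_1\rangle\\
&= 1 + \mathrm{Length}:x_1\\
&= 1 + \mathrm{Card} \circ \mathrm{Add}:\langle a_1,\mathrm{Bag}:z_1\rangle && \text{(using hypothesis } \mathrm{Bag}:x_1 = \mathrm{Add}:\langle a_1,\mathrm{Bag}:z_1\rangle\text{)}\\
&= 2 + \mathrm{Card} \circ \mathrm{Bag}:z_1\\
&= 2 + \mathrm{Length}:z_1.
\end{aligned}$$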

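Thus we have reduced (4.9) to

$$2 + \mathrm{Length}:z_1 > \mathrm{Length}:z_0.$$

Putting all these conditions together we obtain

$$\mathrm{Add}:\langle v,\mathrm{Add}:\langle a_1,\mathrm{Bag}:z_1\rangle\rangle = \mathrm{Add}:\langle a_0,\mathrm{Bag}:z_0\rangle \wedge a_0 \le \mathrm{Bag}:z_0 \wedge 2 + \mathrm{Length}:z_1 > \mathrm{Length}:z_0$$

and use it as $O_{2T}$. We derive an input condition by reasoning forwards from

$$\mathrm{snoC}:x_0 = \langle u,x_1\rangle \wedge \mathrm{Bag}:x_1 = \mathrm{Add}:\langle a_1,\mathrm{Bag}:z_1\rangle \wedge a_1 \le \mathrm{Bag}:z_1 \wedge \mathrm{Length}:x_1 > \mathrm{Length}:z_1 \wedge u = v$$

towards a relation expressed in terms of the variables $v$, $a_1$, and $z_1$. The only
useful inference seems to be

$$a_1 \le \mathrm{Bag}:z_1$$

so we take this as the input condition and form the specification

$$\sigma_{2T}:\langle v,\langle a_1,z_1\rangle\rangle = \langle a_0,z_0\rangle \text{ such that } a_1 \le \mathrm{Bag}:z_1 \Rightarrow a_0 \le \mathrm{Bag}:z_0 \wedge \mathrm{Add}:\langle v,\mathrm{Add}:\langle a_1,\mathrm{Bag}:z_1\rangle\rangle = \mathrm{Add}:\langle a_0,\mathrm{Bag}:z_0\rangle \wedge 2 + \mathrm{Length}:z_1 > \mathrm{Length}:z_0$$

where $\sigma_{2T}: \mathbb{N} \times (\mathbb{N} \times \mathrm{LIST}(\mathbb{N})) \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$

A conditional program, call it Compose2, can be constructed satisfying this
specification.

    Compose2:<v,<a_1,z_1>> = if
        v ≤ a_1 → <v,Cons:<a_1,z_1>>  □
        v ≥ a_1 → <a_1,Cons:<v,z_1>>
    fi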

We construct $\sigma_{1T}$ in a similar manner. The separability condition is
partially instantiated yielding

$$\forall \langle\langle a_0,z_0\rangle,v\rangle \in (\mathbb{N} \times \mathrm{LIST}(\mathbb{N})) \times \mathbb{N}\ \ \forall \langle x_0,u\rangle \in \mathrm{LIST}(\mathbb{N}) \times \mathbb{N}$$

$$[\mathrm{tsiL}:x_0 = u \wedge u = v \Rightarrow \mathrm{Bag}:x_0 = \mathrm{Add}:\langle a_0,\mathrm{Bag}:z_0\rangle \wedge a_0 \le \mathrm{Bag}:z_0 \wedge \mathrm{Length}:x_0 > \mathrm{Length}:z_0]. \quad (4.9)$$

Dealing first with the goal

$$\mathrm{Bag}:x_0 = \mathrm{Add}:\langle a_0,\mathrm{Bag}:z_0\rangle$$

we have

$$\mathrm{Bag}:x_0 = \{u\} = \{v\}$$

thus

$$\{v\} = \mathrm{Add}:\langle a_0,\mathrm{Bag}:z_0\rangle$$

or equivalently

$$a_0 = v \wedge z_0 = \mathrm{nil}.$$

Again the second goal $a_0 \le \mathrm{Bag}:z_0$ is already reduced to the desired form.
Consider now the final goal

$$\mathrm{Length}:x_0 > \mathrm{Length}:z_0.$$

We have $\mathrm{Length}:x_0 = 1$ thus the goal must reduce to

$$\mathrm{Length}:z_0 = 0$$

or equivalently, $z_0 = \mathrm{nil}$.

Putting together all these conditions we obtain

$$O_{1T}:\langle\langle a_0,z_0\rangle,v\rangle \Leftrightarrow z_0 = \mathrm{nil} \wedge a_0 = v$$

and create the specification

$$\sigma_{1T}:v = \langle a,z\rangle \text{ such that } z = \mathrm{nil} \wedge a = v$$

where $\sigma_{1T}: \mathbb{N} \to \mathbb{N} \times \mathrm{LIST}(\mathbb{N})$.

The function Compose1 is easily shown to satisfy this specification:

    Compose1:v = <v,nil>

The functions derived above are assembled into the following program:

    Select:x_0 = if
        Rest:x_0 = nil → Compose1∘Id∘tsiL:x_0  □
        Rest:x_0 ≠ nil → Compose2∘(Id×Select)∘snoC:x_0
    fi

The complete selection sort program derived in this section is listed in Figure
4. It can be transformed into the simpler program listed in Figure 1.
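The derived programs can be executed with their derived specifications checked on every call. The Python below is an added example, not code from the paper: lists are modelled as tuples, and the helpers `spec`, `compose`, `product`, `guarded`, `make_select`, `make_ssort`, `violates` and the deliberately faulty `BadCompose2` are assumptions introduced here to show that an operator which breaks its output condition is caught.

```python
from collections import Counter

nil = ()                                        # lists are tuples (assumed encoding)
Bag = Counter                                   # Bag:x, the multiset of elements of x
Add = lambda a, bag: bag + Counter([a])         # Add:<a,bag>
Length = len
Ordered = lambda z: all(p <= q for p, q in zip(z, z[1:]))
leq_bag = lambda a, z: all(a <= e for e in z)   # "a <= Bag:z"

def spec(name, pre, post):
    """Enforce 'f:x = z such that pre:x ==> post:<x,z>' on every call of f."""
    def wrap(f):
        def run(x):
            z = f(x)
            if pre(x) and not post(x, z):
                raise AssertionError(f"{name} violates its specification: {x!r} -> {z!r}")
            return z
        return run
    return wrap

def compose(*fs):
    """compose(f, g, h)(x) == f(g(h(x))), the paper's f∘g∘h:x."""
    def run(x):
        for f in reversed(fs):
            x = f(x)
        return x
    return run

def product(f, g):
    """(f×g):<a,b> = <f:a, g:b>."""
    return lambda pair: (f(pair[0]), g(pair[1]))

def guarded(*branches):
    """if q1 -> e1 [] ... [] qr -> er fi; the first true guard is taken."""
    def run(x):
        for guard, body in branches:
            if guard(x):
                return body(x)
        raise ValueError(f"no guard holds for {x!r}")
    return run

# Operators of the list algebras used in the derivation.
Id = lambda v: v
Nil = lambda unit: nil                  # Nil:<> = nil
liN = lambda x: ()                      # inverse of Nil, applied only under x = nil
Cons = lambda p: (p[0],) + p[1]         # Cons:<a,z>
snoC = lambda x: (x[0], x[1:])          # inverse of Cons
tsiL = lambda x: x[0]                   # applied only under Rest:x = nil
Rest = lambda x: x[1:]

def o2t(arg, out):                      # output condition derived for Compose2
    v, (a1, z1) = arg
    a0, z0 = out
    return (Add(v, Add(a1, Bag(z1))) == Add(a0, Bag(z0))
            and leq_bag(a0, z0) and 2 + Length(z1) > Length(z0))

compose2_pre = lambda arg: leq_bag(arg[1][0], arg[1][1])   # input condition a1 <= Bag:z1

Compose1 = spec("Compose1", lambda v: True,
                lambda v, out: out == (v, nil))(lambda v: (v, nil))

@spec("Compose2", compose2_pre, o2t)
def Compose2(arg):
    v, (a1, z1) = arg
    return (v, Cons((a1, z1))) if v <= a1 else (a1, Cons((v, z1)))

def select_post(x0, out):               # output condition of the Select specification
    a, x1 = out
    return Bag(x0) == Add(a, Bag(x1)) and leq_bag(a, x1) and Length(x0) > Length(x1)

def make_select(compose2):
    select = spec("Select", lambda x0: x0 != nil, select_post)(guarded(
        (lambda x: Rest(x) == nil, compose(Compose1, Id, tsiL)),
        (lambda x: Rest(x) != nil,
         compose(compose2, product(Id, lambda x1: select(x1)), snoC)),
    ))
    return select

def make_ssort(select):
    ssort = spec("Ssort", lambda x: True,
                 lambda x, z: Bag(x) == Bag(z) and Ordered(z))(guarded(
        (lambda x: x == nil, compose(Nil, Id, liN)),
        (lambda x: x != nil,
         compose(Cons, product(Id, lambda x1: ssort(x1)), select)),
    ))
    return ssort

Select = make_select(Compose2)
Ssort = make_ssort(Select)

# A composition operator that never swaps: it breaks the conjunct a0 <= Bag:z0.
BadCompose2 = spec("BadCompose2", compose2_pre, o2t)(lambda arg: (arg[0], Cons(arg[1])))

def violates(f, x):
    # True when running f on x trips one of the specification checks.
    try:
        f(x)
    except AssertionError:
        return True
    return False
```

Swapping `BadCompose2` into `make_select` is detected at the composition step itself, before the faulty result can reach Ssort, which is the practical content of the remark that only the function of each subalgorithm matters.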

5.  More  Examples 

5.1.  Cartesian  Product  of  Two  Sets 

In this section we illustrate the design of a divide and conquer algorithm
using design strategy DS3. The problem of forming the cartesian product of two
sets can be specified by

$$\mathrm{CART\_PROD}:\langle x,x'\rangle = z \text{ such that } z = \{\langle a,b\rangle \mid a \in x \text{ and } b \in x'\}$$

where $\mathrm{CART\_PROD}: \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}) \to \mathrm{SET}(\mathbb{N} \times \mathbb{N})$.

Here SET(R) denotes the data type of finite sets whose elements belong to the
data type R.

First, we choose a decomposition algebra on $\mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})$ and then a
composition algebra on $\mathrm{SET}(\mathbb{N} \times \mathbb{N})$. A simple decomposition algebra on sets is
easily found:

$$A1 = \langle\{\mathrm{SET}(\mathbb{N}),\mathbb{N}\},\{\mathrm{Split},\mathrm{ihP}\}\rangle$$

where

$A1_{\hat{s}} = \mathrm{SET}(\mathbb{N})$

$A1_c = \mathbb{N}$

$\sigma_{1A1} = \mathrm{ihP}: \mathrm{SET}(R) \to \{\langle\rangle\}$ (type $\langle\lambda,\hat{s}\rangle$)

$\sigma_{2A1} = \mathrm{Split}: \mathrm{SET}(R) \to R \times \mathrm{SET}(R)$ (type $\langle c\hat{s},\hat{s}\rangle$).

ihP decomposes the empty set into the 0-tuple $\langle\rangle$ and Split decomposes a nonempty
set into an element and the remainder of the set. ihP is defined only on the
empty set and Split is defined only on nonempty sets so together these operators
decompose every finite set.

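However, our input domain is 2-tuples of sets. We shall apply the above
decomposition operators to the first component of the tuple and leave the second
unchanged. The result is the $\Sigma^{-1}$-decomposition algebra

$$A2 = \langle\{\mathbb{N} \times \mathrm{SET}(\mathbb{N}),\ \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})\},\ \{\mathrm{ihP} \circ 1,\ \mathrm{Trans} \circ (\mathrm{Split} \times \mathrm{Id2})\}\rangle$$

where

$A2_{\hat{s}} = \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})$,

$A2_c = \mathbb{N} \times \mathrm{SET}(\mathbb{N})$,

$\sigma_{1E} = \mathrm{ihP} \circ 1: \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}) \to \{\langle\rangle\}$ (type $\langle\lambda,\hat{s}\rangle$),

$\sigma_{2E} = \mathrm{Trans} \circ (\mathrm{Split} \times \mathrm{Id2}): \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}) \to (\mathbb{N} \times \mathrm{SET}(\mathbb{N})) \times (\mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}))$
(type $\langle c\hat{s},\hat{s}\rangle$).

$\sigma_{2E}$ makes use of two new functions. The function Id2 returns a 2-tuple
containing copies of its input, i.e., $\mathrm{Id2}:x = \langle x,x\rangle$. The function Trans transposes a
tuple of tuples as follows

$$\mathrm{Trans}:\langle x_1,\ldots,x_n\rangle = \langle y_1,\ldots,y_m\rangle$$

where $x_i = \langle x_{i1},\ldots,x_{im}\rangle$ and $y_j = \langle x_{1j},\ldots,x_{nj}\rangle$ for $1 \le i \le n$ and $1 \le j \le m$. For
example,

$$\mathrm{Trans}:\langle\langle 1,2,3\rangle,\langle 4,5,6\rangle\rangle = \langle\langle 1,4\rangle,\langle 2,5\rangle,\langle 3,6\rangle\rangle.$$

$\sigma_{2E}$ behaves as follows on input $\langle\{1,2,3\},\{4,5\}\rangle$:

$$\begin{aligned}
\mathrm{Trans} \circ (\mathrm{Split} \times \mathrm{Id2}):\langle\{1,2,3\},\{4,5\}\rangle &= \mathrm{Trans}:\langle\langle 1,\{2,3\}\rangle,\langle\{4,5\},\{4,5\}\rangle\rangle\\
&= \langle\langle 1,\{4,5\}\rangle,\langle\{2,3\},\{4,5\}\rangle\rangle.
\end{aligned}$$

Before choosing a composition algebra for T we must decide what can the
auxiliary output type $T_c$ be given that $E_c$ is $\mathbb{N} \times \mathrm{SET}(\mathbb{N})$. Since $E_c$ appears to
be a slightly modified form of $E_{\hat{s}}$ ($= \mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})$) we might conjecture that
the auxiliary function $f_c$ is similar to the principal function $f_{\hat{s}}$ and thus use
$\mathrm{SET}(\mathbb{N} \times \mathbb{N})$ as $T_c$. The composition operator $\sigma_{2T}$ then is some mapping from
$\mathrm{SET}(\mathbb{N} \times \mathbb{N}) \times \mathrm{SET}(\mathbb{N} \times \mathbb{N})$ to $\mathrm{SET}(\mathbb{N} \times \mathbb{N})$ - we can use the set-union operator
Union. $\sigma_{1T}$ is some mapping from $\{\langle\rangle\}$ to $\mathrm{SET}(\mathbb{N} \times \mathbb{N})$ - we can use the function
Phi, which maps the 0-tuple into the empty set.

So far we have developed the program structure

    CP:<x,x'> = if
        x = {} → Phi∘Id_<>∘ihP∘1:<x,x'>  □
        x ≠ {} → Union∘(f_c×CP)∘Trans∘(Split×Id2):<x,x'>
    fi.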

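In order to determine a specification for $f_c$ we create the following instance of
the separability condition

$$\forall \langle\langle x_0,x'_0\rangle,\langle a,x'_1\rangle,\langle x_2,x'_2\rangle\rangle \in (\mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N})) \times (\mathbb{N} \times \mathrm{SET}(\mathbb{N})) \times (\mathrm{SET}(\mathbb{N}) \times \mathrm{SET}(\mathbb{N}))$$

$$\forall \langle z_0,z_1,z_2\rangle \in \mathrm{SET}(\mathbb{N} \times \mathbb{N}) \times \mathrm{SET}(\mathbb{N} \times \mathbb{N}) \times \mathrm{SET}(\mathbb{N} \times \mathbb{N})$$

$$[\mathrm{Split}:x_0 = \langle a,x_2\rangle \wedge x'_1 = x'_0 \wedge x'_2 = x'_0 \wedge P_c:\langle\langle a,x'_1\rangle,z_1\rangle \wedge z_2 = \{\langle u,v\rangle \mid u \in x_2 \text{ and } v \in x'_2\} \wedge z_0 = \mathrm{Union}:\langle z_1,z_2\rangle$$

$$\Rightarrow z_0 = \{\langle u,v\rangle \mid u \in x_0 \text{ and } v \in x'_0\}]. \quad (5.1)$$

Since we are trying to reason backwards to an expression for $P_c:\langle\langle a,x'_1\rangle,z_1\rangle$ we
seek to reduce the goal to a relation over the variables $a$, $x'_1$, and $z_1$.
Consider the goal

$$z_0 = \{\langle u,v\rangle \mid u \in x_0 \text{ and } v \in x'_0\}. \quad (5.2)$$

The set expression on the right hand side can be transformed as follows.

$$\begin{aligned}
\{\langle u,v\rangle \mid u \in x_0 \text{ and } v \in x'_0\} &= \{\langle u,v\rangle \mid u \in \mathrm{Add}:\langle a,x_2\rangle \text{ and } v \in x'_0\} && \text{(since } \mathrm{Split}:x = \langle a,y\rangle\text{)}\\
&= \{\langle u,v\rangle \mid (u = a \text{ or } u \in x_2) \text{ and } v \in x'_0\}\\
&= \mathrm{Union}:\langle\{\langle u,v\rangle \mid u = a \text{ and } v \in x'_0\},\ \{\langle u,v\rangle \mid u \in x_2 \text{ and } v \in x'_0\}\rangle\\
&= \mathrm{Union}:\langle\{\langle u,v\rangle \mid u = a \text{ and } v \in x'_1\},\ \{\langle u,v\rangle \mid u \in x_2 \text{ and } v \in x'_2\}\rangle && \text{(since } x'_1 = x'_0 \text{ and } x'_2 = x'_0\text{)}\\
&= \mathrm{Union}:\langle\{\langle u,v\rangle \mid u = a \text{ and } v \in x'_1\},\ z_2\rangle && \text{(since } z_2 = \{\langle u,v\rangle \mid u \in x_2 \text{ and } v \in x'_2\}\text{)}.
\end{aligned}$$

Using the hypothesis $z_0 = \mathrm{Union}:\langle z_1,z_2\rangle$ we reduce (5.2) to

$$\mathrm{Union}:\langle z_1,z_2\rangle = \mathrm{Union}:\langle\{\langle u,v\rangle \mid u = a \text{ and } v \in x'_1\},\ z_2\rangle$$

which holds if

$$z_1 = \{\langle u,v\rangle \mid u = a \text{ and } v \in x'_1\} \quad (5.3)$$

holds. So if we take (5.3) as an additional hypothesis then (5.1) holds. We
take (5.3) as our output condition for $f_c$ and create the specification

$$\mathrm{CP\_aux}:\langle a,x\rangle = z \text{ such that } z = \{\langle u,v\rangle \mid u = a \text{ and } v \in x\}$$

where $\mathrm{CP\_aux}: \mathbb{N} \times \mathrm{SET}(\mathbb{N}) \to \mathrm{SET}(\mathbb{N} \times \mathbb{N})$.

A divide and conquer algorithm for this problem can easily be constructed using
design strategy DS1 (along the same lines as Ssort). The complete algorithm for
producing the cartesian product of two sets is listed in Figure 5. The reader
can easily find several ways to simplify CP and CP_aux without affecting their
correctness.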
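The separability instance (5.1) can be checked exhaustively over a small universe, which makes visible why (5.3) works as the output condition for the auxiliary function and why a weaker condition does not. The Python below is an added example, not code from the paper; the function names, the deterministic choice of element in `split`, and the weaker condition `weak_pc` are assumptions made for illustration.

```python
from itertools import chain, combinations

def subsets(universe):
    """All subsets of `universe`, as frozensets."""
    items = list(universe)
    return [frozenset(c) for c in chain.from_iterable(
        combinations(items, k) for k in range(len(items) + 1))]

def split(x):
    """Split:x = <a, x2> for nonempty x; taking the minimum is an assumed choice."""
    a = min(x)
    return a, x - {a}

def pairs(xs, ys):
    """{<u,v> | u in xs and v in ys}."""
    return frozenset((u, v) for u in xs for v in ys)

def separability_holds(p_c, universe):
    """Bounded check of (5.1) over every pair of sets drawn from `universe`."""
    candidates = subsets(pairs(universe, universe))      # every possible z1
    for x0 in subsets(universe):
        if not x0:
            continue                                     # Split is undefined on {}
        a, x2 = split(x0)
        for xp0 in subsets(universe):                    # x'1 = x'2 = x'0
            z2 = pairs(x2, xp0)                          # hypothesis on the recursive call
            goal = pairs(x0, xp0)
            for z1 in candidates:
                if p_c((a, xp0), z1) and (z1 | z2) != goal:
                    return False                         # hypotheses hold, consequent fails
    return True

def derived_pc(arg, z1):
    """(5.3): z1 = {<u,v> | u = a and v in x'}."""
    a, xp = arg
    return z1 == pairs({a}, xp)

def weak_pc(arg, z1):
    """A weaker candidate: z1 only has to be contained in {a} x x'."""
    a, xp = arg
    return z1 <= pairs({a}, xp)

def cp_aux(a, x):
    """CP_aux of Figure 5, written as direct recursion."""
    if not x:
        return frozenset()
    b, rest = split(x)
    return frozenset({(a, b)}) | cp_aux(a, rest)

def cp(x, xp):
    """CP of Figure 5: Union of CP_aux on the split element and CP on the rest."""
    if not x:
        return frozenset()
    a, x2 = split(x)
    return cp_aux(a, xp) | cp(x2, xp)
```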

5.2  Evaluating  a  Proposition 

In this section we present a divide and conquer algorithm for evaluating a
proposition. It provides an example of a more complex signature and illustrates
a programming style suggested by our treatment of divide and conquer algorithms.
Given a well-formed proposition F and an interpretation I the problem is to
compute the truth value of F under I. Relevant portions of the abstract data types
for propositions, interpretations, and truth values are presented below.

    CP:<x,x'> = if
        x = {} → Phi∘Id_<>∘ihP∘1:<x,x'>  □
        x ≠ {} → Union∘(CP_aux×CP)∘Trans∘(Split×Id2):<x,x'>
    fi.

    CP_aux:<a,x> = if
        x = {} → Phi∘Id_<>∘ihP∘2:<a,x>  □
        x ≠ {} → Add∘(Id×CP_aux)∘Trans∘(Id2×Split):<a,x>
    fi.

Figure 5. Forming the Cartesian Product of Two Sets.

A data type PROP representing well-formed propositions can be described
abstractly as follows. Let LETTERS be a set of symbols called letters. PROP is
generated from LETTERS using the constructors

Compose_atom: LETTER → PROP, which converts a letter into an atomic proposition,
Compose_neg: PROP → PROP, which forms the negation of a proposition,
Compose_conj: PROP × PROP → PROP, which forms the conjunction of two propositions,
Compose_disj: PROP × PROP → PROP, which forms the disjunction of two propositions.

In other words we have

    <{PROP, LETTERS}, {Compose_atom, Compose_neg, Compose_conj, Compose_disj}>

as a composition algebra for PROP. Each of these constructors is uniquely
invertible and we have the corresponding decomposition algebra

    <{PROP, LETTERS}, {Decompose_atom, Decompose_neg, Decompose_conj, Decompose_disj}>

where

Decompose_atom: PROP → LETTER, which decomposes an atomic proposition into its
constituent letter,

Decompose_neg: PROP → PROP, which decomposes a negation into its constituent
proposition,

Decompose_conj: PROP → PROP × PROP, which decomposes a conjunction into its
constituent propositions, and

Decompose_disj: PROP → PROP × PROP, which decomposes a disjunction into its
constituent propositions.


These decomposition operators are defined when the predicates Atom, Neg, Conj,
Disj are true respectively. For example, Atom:F holds exactly when
Decompose_atom:F = $\alpha$ for some $\alpha \in$ LETTER. We also have F = Compose_atom:$\alpha$.
Similarly, Conj:F holds iff Decompose_conj:F = <G,H> for some G,H $\in$ PROP and thus
F = Compose_conj:<G,H>. More formally the following axioms hold for all
$\alpha \in$ LETTER and F,G $\in$ PROP

    Decompose_atom∘Compose_atom:α = α
    Decompose_neg∘Compose_neg:F = F
    Decompose_conj∘Compose_conj:<F,G> = <F,G>
    Decompose_disj∘Compose_disj:<F,G> = <F,G>
    Atom∘Compose_atom:α = TRUE
    Neg∘Compose_neg:F = TRUE
    Conj∘Compose_conj:<F,G> = TRUE
    Disj∘Compose_disj:<F,G> = TRUE

The input for our proposition evaluator also includes an interpretation
I $\in$ INTERPRETATION which associates boolean values with each letter. We use the
operator Assoc: LETTER × INTERPRETATION → B to determine the value of a given
letter under an interpretation.

The output domain for our proposition evaluator is B, which has the
composition algebra

    <{B},{Id,Not,And,Or}>,

where

Id: B → B (the identity operator),

Not: B → B (the usual negation operator),

And: B × B → B (the usual logical and operator),

Or: B × B → B (the usual logical or operator).

A  divide  arri  conquer  algorithm,  called  Prop_eval,  for  evaluating  a  proposi¬ 
tion  is  listed  in  Figure  6.  Here  is  an  example  computation  of  Prop_eval:  Let  F 
denote  the  representation  of  the  proposition  (A  A  B)  V  -A  and  Fj_  and  F2  the 
Prop_eval:<F,I> =
  if
    Atom:F → Id ∘ Assoc ∘ (Decompose_atom × Id):<F,I> □
    Neg:F  → Not ∘ Prop_eval ∘ (Decompose_neg × Id):<F,I> □
    Conj:F → And ∘ (Prop_eval × Prop_eval) ∘ Trans ∘ (Decompose_conj × Id2):<F,I> □
    Disj:F → Or ∘ (Prop_eval × Prop_eval) ∘ Trans ∘ (Decompose_disj × Id2):<F,I> □


Figure  6.  A  Proposition  Evaluator 


propositions A ∧ B and ¬A respectively, thus F = Compose_disj:<F1,F2>. Let I be
an interpretation under which letters A and B have the values TRUE and FALSE
respectively.

Prop_eval:<F,I> = Or ∘ (Prop_eval × Prop_eval) ∘ Trans ∘ (Decompose_disj × Id2):<F,I>

                      (since Disj:F holds)

                = Or ∘ (Prop_eval × Prop_eval) ∘ Trans:<<F1,F2>,<I,I>>

                = Or ∘ (Prop_eval × Prop_eval):<<F1,I>,<F2,I>>

                = Or:<FALSE,FALSE>

                = FALSE

where Prop_eval:<F1,I> and Prop_eval:<F2,I> both evaluate to FALSE in a similar
manner.
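
The scheme of Figure 6 and the example computation above can be run directly. The following Python transcription is an added example, not part of the original paper; the tagged-tuple encoding of PROP, the dict encoding of INTERPRETATION and the helper names comp and prod (for ∘ and ×) are assumptions made for illustration.

```python
# Added illustration of Figure 6. The tagged-tuple encoding of PROP and the
# dict encoding of INTERPRETATION are assumptions, not the paper's.
def compose_atom(a): return ("atom", a)
def compose_neg(f): return ("neg", f)
def compose_conj(fg): return ("conj", fg[0], fg[1])
def compose_disj(fg): return ("disj", fg[0], fg[1])

def is_a(tag): return lambda f: f[0] == tag        # predicates Atom, Neg, Conj, Disj
atom, neg, conj, disj = map(is_a, ("atom", "neg", "conj", "disj"))

def decompose(tag):
    def d(f):
        # Partial operator: defined only where the matching predicate is true.
        if f[0] != tag:
            raise ValueError(f"Decompose_{tag} is undefined on a {f[0]}")
        return f[1] if len(f) == 2 else (f[1], f[2])
    return d
decompose_atom, decompose_neg, decompose_conj, decompose_disj = map(
    decompose, ("atom", "neg", "conj", "disj"))

def comp(*fs):
    """Composition f1 ∘ f2 ∘ ... ∘ fn, applied right to left."""
    def h(v):
        for f in reversed(fs):
            v = f(v)
        return v
    return h

def prod(f, g): return lambda p: (f(p[0]), g(p[1]))  # (f × g):<a,b> = <f:a, g:b>
def ident(v): return v                               # Id
def id2(v): return (v, v)                            # Id2:I = <I,I>
def trans(p): (a, b), (c, d) = p; return ((a, c), (b, d))
def assoc(p): return p[1][p[0]]                      # Assoc:<letter, I>
def not_(b): return not b
def and_(p): return p[0] and p[1]
def or_(p): return p[0] or p[1]

def prop_eval(fi):
    f = fi[0]
    if atom(f): return comp(ident, assoc, prod(decompose_atom, ident))(fi)
    if neg(f):  return comp(not_, prop_eval, prod(decompose_neg, ident))(fi)
    if conj(f): return comp(and_, prod(prop_eval, prop_eval), trans, prod(decompose_conj, id2))(fi)
    if disj(f): return comp(or_, prod(prop_eval, prop_eval), trans, prod(decompose_disj, id2))(fi)
    raise ValueError("not a well-formed proposition")

# The paper's example: F = (A ∧ B) ∨ ¬A, with A = TRUE and B = FALSE.
F1 = compose_conj((compose_atom("A"), compose_atom("B")))
F2 = compose_neg(compose_atom("A"))
F = compose_disj((F1, F2))
I = {"A": True, "B": False}
```

Calling prop_eval((F, I)) follows the same chain of rewrites as the computation above; applying a decomposition operator to the wrong kind of proposition raises an error, reflecting that the operators are only defined where their predicates hold.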

6.  Concluding  Remarks 

We have presented a class of program schemes which provide a normal-form
for expressing the structure of divide and conquer algorithms. Based on these
schemes we have given a theorem relating the correctness of a divide and conquer
algorithm to the correctness of its parts. The theorem gives rise to several
strategies for designing divide and conquer algorithms and we used these
strategies to derive several algorithms.

By using syntactic program schemes to express the structure of a diverse
class of algorithms we have the disadvantage that some instances will not be in
their most desirable form. However, this approach to representing programming
knowledge has a number of important advantages. 1) Schemes express the
essential structure of algorithms in the class in a clear and precise way. 2)
Generic proofs of correctness, as provided here by Theorem 1, can be given. The
correctness of a divide and conquer algorithm is reduced to the simpler task of
establishing the conditions of Theorem 1. 3) By providing the essential
structure of algorithms in a class, schemes may suggest uniform approaches to
designing them.

The design strategies we have presented involve choices which may be weakly
motivated and we may need to try several alternatives before we find one which
works. The resulting design process can be represented by a tree of derivation
paths, some of which lead to useful algorithms, some of which are dead ends.
Aside from this control problem the design strategies can be formalized for use
in automatic program synthesizers. However, at present it is not clear whether
an adequate collection of heuristics can be found to guide an automated design
process through the design space without human insight.

The top-down style of programming suggested by our design strategies can be
summarized as follows. First we require a clear understanding of the problem to
be solved, expressed formally by specifications. If a divide and conquer
solution seems both possible and desirable we begin to explore the input and/or
output domains looking for simple decomposition and composition algebras
respectively. Depending on our choice we follow one of the design strategies
discussed above. Using our intuition and/or proceeding formally using the
separability condition we derive specifications for the unknown operators in our
program. These specifications are then satisfied either by target language
operators or by (recursively) designing algorithms for them. Once a correct but
possibly over-structured or inefficient algorithm has been constructed we subject
it to equivalence-preserving transformations resulting in a more satisfactory
design.